Wireless IPS (wIPS) & Communication Protocols


This article covers the Wireless Intrusion Prevention System (wIPS), the communication protocols used between its components, and the modes in which wIPS can be deployed.

Wireless Intrusion Prevention System (wIPS)
Cisco's wIPS architecture provides scalable wireless security monitoring 24x7x365. Several components of a unified security monitoring solution work together to deliver it.

In the wireless interconnection path, wireless LAN controllers and Prime Infrastructure run the wIPS services, while wIPS-enabled Mobility Services Engines, access points in wIPS mode, WSM modules and CleanAir-enabled access points make up the functional components of the wIPS solution architecture.

Fig 1.1- wIPS Architecture with Prime and DNA C

wIPS Communication Protocols

  • CAPWAP (Control and Provisioning of Wireless Access Points): Used for communication between access points and controllers. It provides a bi-directional tunnel in which alarm information is shuttled to the controller and configuration information is pushed to the access point. CAPWAP control messages are DTLS encrypted; CAPWAP data can optionally be DTLS encrypted. Ports: UDP 5246 (control) and UDP 5247 (data).
  • NMSP (Network Mobility Services Protocol): Used for communication between Wireless LAN Controllers and the Mobility Services Engine. In a wIPS deployment, this protocol provides the pathway for alarm information to be aggregated from controllers to the MSE and for wIPS configuration information to be pushed to the controllers. This protocol is encrypted. Controller TCP port: 16113.
  • SOAP/XML (Simple Object Access Protocol): The method of communication between the MSE and Prime Infrastructure (PI). It is used to distribute configuration parameters to the wIPS service running on the MSE. MSE TCP port: 443.
  • SNMP (Simple Network Management Protocol): Used to forward wIPS alarm information from the Mobility Services Engine to Prime Infrastructure. It is also used to communicate rogue access point information from the Wireless LAN Controller to Prime Infrastructure.
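The CAPWAP bullet above makes a security-relevant distinction: DTLS is mandatory on the control channel (UDP 5246) but optional on the data channel (UDP 5247). A defender can verify that distinction on the wire because RFC 5415 puts a one-byte preamble in front of every CAPWAP packet whose type nibble says whether a DTLS record or a cleartext CAPWAP header follows. The parser and audit routine below are an added example, not code from the original article or from Cisco; the function names and the sample payloads are constructed for illustration.

```python
import struct
from dataclasses import dataclass
from typing import List, Optional, Tuple

CAPWAP_CONTROL_PORT = 5246  # control channel: DTLS is mandatory
CAPWAP_DATA_PORT = 5247     # data channel: DTLS is optional

@dataclass
class CapwapSummary:
    port: int
    dtls: bool                           # preamble type 1 = DTLS-protected
    hlen_bytes: Optional[int] = None     # cleartext only: header length in bytes
    wbid: Optional[int] = None           # cleartext only: wireless binding (1 = 802.11)
    native_frame: Optional[bool] = None  # cleartext only: T flag (native 802.11 payload)

def parse_capwap(port: int, payload: bytes) -> CapwapSummary:
    # Classify a UDP payload on a CAPWAP port using the RFC 5415 preamble.
    if not payload:
        raise ValueError("empty CAPWAP payload")
    version, ptype = payload[0] >> 4, payload[0] & 0x0F
    if version != 0:
        raise ValueError(f"unsupported CAPWAP version {version}")
    if ptype == 1:
        # A DTLS record follows; nothing else is readable without session keys.
        return CapwapSummary(port, dtls=True)
    if ptype != 0:
        raise ValueError(f"unknown CAPWAP preamble type {ptype}")
    if len(payload) < 8:
        raise ValueError("truncated CAPWAP header")
    # First 32 bits: preamble(8) HLEN(5) RID(5) WBID(5) T F L W M K (6) flags(3)
    word = struct.unpack("!I", payload[:4])[0]
    hlen_words = (word >> 19) & 0x1F
    wbid = (word >> 9) & 0x1F
    native = bool((word >> 8) & 0x1)
    return CapwapSummary(port, False, hlen_words * 4, wbid, native)

def audit(packets: List[Tuple[int, bytes]]) -> List[str]:
    # Report CAPWAP traffic that is not DTLS-protected, per channel.
    findings = []
    for port, payload in packets:
        summary = parse_capwap(port, payload)
        if port == CAPWAP_CONTROL_PORT and not summary.dtls:
            findings.append("cleartext CAPWAP control message on UDP 5246")
        elif port == CAPWAP_DATA_PORT and not summary.dtls:
            findings.append("unencrypted CAPWAP data on UDP 5247 (DTLS optional)")
    return findings

# Constructed sample payloads (not real captures).
DTLS_CONTROL = b"\x01" + b"\x16\xfe\xfd\x00\x00" + b"\x00" * 6 + b"\x00\x10" + b"\x00" * 16
CLEAR_CONTROL = b"\x00\x10\x42\x00" + b"\x00" * 4   # HLEN=2 words, WBID=1, T=0
CLEAR_DATA = b"\x00\x10\x43\x00" + b"\x00" * 4      # HLEN=2 words, WBID=1, T=1
SAMPLES = [(5246, DTLS_CONTROL), (5246, CLEAR_CONTROL), (5247, CLEAR_DATA)]
```

A cleartext finding on 5246 means the AP-to-controller control channel is not protected as the architecture expects and should be treated as a misconfiguration to investigate.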

wIPS Modes of Operation
wIPS can be deployed in three modes of operation.

  • Enhanced Local Mode: Like Local Mode, the AP provides wireless service to clients, but when scanning off-channel the radio dwells on the channel for an extended period, allowing enhanced attack detection.
  • wIPS Monitor Mode AP: Provides constant channel scanning with attack detection and forensics (packet capture) capabilities. A monitor mode AP is always off-channel and cannot serve clients.
  • 3rd Radio as wIPS: The Cisco 4800 series Wave 2 access point has a built-in third radio that can be leveraged for dedicated wIPS scanning while the other two radios continue serving clients.